Web Sign-On with CAS

Presentation Transcript

  • Web Sign-On with CAS: Happy Users, Developers, Security Officers. SecureIT 2006
  • San Luis Obispo, CA. Information Technology Services. Ryan Matteson, CISSP, Technical Security Officer. March 22, 2006
  • Overview
      • Case study: Cal Poly’s implementation of central web sign-on, with a PeopleSoft integration example
      • Content: some technical, but coding skills not required
      • Technologies covered: Yale University Central Authentication Service (now a JA-SIG project); JA-SIG uPortal; LDAP using Oracle Internet Directory; PeopleSoft 8.0 & 8.4
  • Agenda/Contents: Motivation / Strategy; Implementation and Example; Environment, Metrics, Support; Lessons Learned; Next Steps; Questions
  • Cal Poly – Who are we? San Luis Obispo; 100 years old; ~18,000 students; polytechnic university: Engineering, Agriculture, Architecture, Science; “Learn by Doing”: technical and professional curricula with arts and humanities.
  • Motivation
  • Brief History of Service Delivery: Faculty, Student and Staff push on Central Computing
  • Brief History of Service Delivery – complexity for Central Computing:
      • for users
      • for support
      • for growth
      • for security assurance
  • Goal: A More Rational Model. Faculty, Student and Staff reach Services through a shared Service Infrastructure (strategy = centralized infrastructure, distributed services)
  • Requirements: End Users
      • consistency in access
      • simplify authentication
      • content tailored for user
      • security policies become intuitive
      “Just let me get my work done!”
  • Requirements: Developers
      • pre-built solution for common tasks: authentication, selection of user population, data management
      • simple / vendor neutral
      Focus on the service
  • Requirements: Security
      • consistent enforcement of policy/process
      • fewer/stronger control points
      • central monitoring and audit
      Do it once / do it right. Risk aggregation (or perhaps not)
  • IT Considerations: vendor neutrality; integration with current and future vendor offerings; reusable by other web apps; higher education best practices; highly available; focus on web authentication
  • Limitation of Scope: web applications. There is no standard in this space; requires custom integration with each application; additional time required to implement (but not really)
  • Implementation
  • System Overview: PeopleSoft, LDAP, Oracle Collab Suite, CAS, Campus Portal, Blackboard
  • Customization: look and feel (critical!); logging (more later); controls/rules on credentials, login attempts, … Much of this is easier/out-of-the-box in CAS 3.X
  • uPortal - Cal Poly Enterprise Portal. uPortal is an open-standard effort using Java, XML, JSP and J2EE. Began using uPortal Fall 2001 as our campus portal: unified view and/or access to campus services; open / customizable / now common. We implemented in 2001
  • CAS – Yale Central Authentication Service. 2003: we want Single Sign-on, but how? Evaluated Pubcookie, WebAuth, RSA, Oracle, PeopleSoft, our own internal solution (~2002). CAS: simple to install and configure; not a standard, but promise of de facto; easy app integration, many examples; delivered integration for uPortal; application can authenticate without the user’s credentials directly (not credential shuffling)
  • CAS Authentication Process (Web Browser, Web App, Login Service (CAS))
      1. User requests access
      2. Browser redirected to Login Service
      3. Web login (web user interaction; skipped when the Login Service recognizes an existing user session)
      4. Login Service provides ticket
      5. Ticket provided to application
      6. Application validates ticket
      7. Username provided to application
      8. Application decides if user is authorized
      9. User gets access
      The login step needs user interaction; ticket issue, validation and authorization need no user interaction.
  • Pre-conditions: IdM (or any other source of reconciled identity and authentication, including credential management)
      • Oracle Internet Directory, 9i
      • Currently single source of username and password
      • Allows non-web based apps to authenticate
      • Reconciled data from HR, Foundation, ASI, Student Info Systems, … (Data Warehouse, IdM)
      • Was in place before CAS (2001)
      • Feel free to contact me for details
  • Example: PeopleSoft. PeopleSoft 7 → 8 migration in 2003; making PeopleSoft use a central authentication service (besides PSSO); display content via uPortal; neither the most simple nor the most complex integration we’ve done
  • PeopleSoft: Implementation. Accept a ticket and then validate it: PeopleSoft accepts a CAS ticket parameter as part of login; PeopleCode calls a Java client; the CAS Java client performs the CAS validation
  • PeopleSoft - Implementation
      Function VALIDATE_TICKET()
         /* rmatteso@calpoly.edu 20030122 Trusted Authentication Impl */
         If %PSAuthResult = False Then
            &validator = GetJavaClass("PSCASClient");
            /* retrieve fullUrl and ticket value from HTTP request */
            &fullUrl = %Request.FullURI | "?" | %Request.QueryString;
            &ticket = %Request.GetParameter("ticket");
            If &ticket <> "" Then
               /* have a ticket, load CAS client class and attempt to validate */
               &cas_result = &validator.validate(&fullUrl, &ticket);
               If &cas_result <> "" Then
                  SetAuthenticationResult( True, &cas_result, "", False);
                  &authMethod = "SLO";
                  Return;
               End-If; /* got username back from CAS */
            End-If; /* got ticket */
         End-If; /* user not yet authenticated */
      End-Function;
  • PSCASClient.java
      import java.io.BufferedReader;
      import java.io.IOException;
      import java.io.InputStreamReader;
      import java.net.URL;
      import java.net.URLEncoder;

      public class PSCASClient {
          // CAS 1.0 /validate endpoint of the campus login service (value not shown on the slide)
          private static final String validateURL = "https://CAS-HOST/cas/validate";

          /** Called from PeopleCode via GetJavaClass; returns the PSFT username, or null if CAS rejects the ticket. */
          public static String validate(String service, String ticket) throws IOException {
              // the service URL carries its own query string, so both parameters must be URL-encoded
              URL u = new URL(validateURL + "?ticket=" + URLEncoder.encode(ticket, "UTF-8")
                      + "&service=" + URLEncoder.encode(service, "UTF-8"));
              try (BufferedReader in = new BufferedReader(new InputStreamReader(u.openStream()))) {
                  // CAS 1.0 answers "yes\n<username>\n" on success and "no\n" otherwise
                  String line1 = in.readLine();
                  String line2 = in.readLine();
                  if (line1 == null || !line1.equals("yes") || line2 == null) {
                      return null;
                  }
                  // make fully qualified username ("jdoe@calpoly.edu")
                  // into PSFT username ("jdoe")
                  int at = line2.indexOf('@');
                  String user = (at >= 0) ? line2.substring(0, at) : line2;
                  return user.toUpperCase();
              }
          }
      }
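The nine-step flow on the CAS Authentication Process slide and the PSCASClient validation above are easier to see end to end with both sides of the exchange in one place. The block below is an added example written for this transcript, not Cal Poly's code or the CAS project's: it simulates the login service issuing a service ticket and answering CAS 1.0 /validate requests ("yes\n<user>\n" or "no\n"), and the application side parsing that answer and mapping the username the way the Java client does. The service URL, usernames, ticket format and 30-second lifetime are constructed; the three rejection cases (replay, ticket presented for a different service, expired ticket) are the checks a validator must make for the ticket to be worth anything.

```python
# Added example: minimal simulation of the CAS 1.0 service-ticket exchange.
# Not Cal Poly's or the CAS project's code; URLs, names, ticket format and
# lifetime below are constructed for illustration.
import secrets
import time


class CasLoginService:
    """Stand-in for the Login Service (CAS) in the flow slide."""

    TICKET_TTL_SECONDS = 30  # constructed value: service tickets are short-lived

    def __init__(self, clock=time.time):
        self._clock = clock
        self._tickets = {}  # ticket -> (service, username, issued_at)

    def login(self, username, service):
        """Steps 3-4: user logs in, CAS issues a ticket bound to `service`."""
        ticket = "ST-" + secrets.token_urlsafe(16)
        self._tickets[ticket] = (service, username, self._clock())
        return ticket

    def validate(self, service, ticket):
        """Step 6: the /validate response body, 'yes\\n<user>\\n' or 'no\\n'.

        A ticket is accepted once only, only for the service it was issued
        to, and only inside its lifetime; every other case answers 'no'.
        """
        entry = self._tickets.pop(ticket, None)  # pop() makes it single use
        if entry is None:
            return "no\n"
        bound_service, username, issued_at = entry
        if bound_service != service:
            return "no\n"
        if self._clock() - issued_at > self.TICKET_TTL_SECONDS:
            return "no\n"
        return "yes\n%s\n" % username


def parse_validate_response(body):
    """Application side (what PSCASClient reads): the username, or None."""
    lines = body.split("\n")
    if len(lines) < 2 or lines[0] != "yes" or not lines[1]:
        return None
    return lines[1]


def to_peoplesoft_user(fq_username):
    """Step 7 on the PeopleSoft side: 'jdoe@calpoly.edu' -> 'JDOE'."""
    return fq_username.split("@", 1)[0].upper()


def demo():
    """Happy path plus the three rejected validations; returns the outcomes."""
    now = [1000.0]  # injectable clock so expiry can be exercised offline
    cas = CasLoginService(clock=lambda: now[0])
    service = "https://ps.example.edu/psp/ps/?cmd=login"  # constructed

    ticket = cas.login("jdoe@calpoly.edu", service)
    first = parse_validate_response(cas.validate(service, ticket))
    replay = parse_validate_response(cas.validate(service, ticket))

    other = cas.login("jdoe@calpoly.edu", service)
    wrong_service = parse_validate_response(
        cas.validate("https://different.example.edu/app/", other))

    late = cas.login("jdoe@calpoly.edu", service)
    now[0] += CasLoginService.TICKET_TTL_SECONDS + 1
    expired = parse_validate_response(cas.validate(service, late))

    return {
        "first": to_peoplesoft_user(first) if first else None,
        "replay": replay,
        "wrong_service": wrong_service,
        "expired": expired,
    }


if __name__ == "__main__":
    print(demo())
```

Binding the ticket to the exact service URL is why the "Issues" slide matters: the PeopleCode passes %Request.FullURI plus the query string as the service, so anything that changes that string between steps 5 and 6 (a rewritten parameter, GET becoming POST) turns a good ticket into a "no".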
  • PeopleSoft - Implementation: configure SLO_AUTH hook in PeopleSoft Sign-on Page (Exec Auth Fail)
  • Set Exec Auth Fail PeopleCode
  • PeopleSoft - Implementation: customize HTML files now that the original sign-on page is obsolete (UI smoothing)
      • index.html
      • Logout_page.html (new)
      • Signin_alternate (new)
      • Signon.html
      • signonError.html (new)
      • Cookiesrequired.html
      Modify configuration.properties to point to the new HTML files; install CAS client jar and class files
  • Issues: it’s never that easy . . .
      • Service URL we use for CAS had to contain userid/pwd parameter
      • PeopleSoft cookies
      • After PTools upgrade (2003) HTTP GET no longer worked, POST required
  • Working With Vendors / Developers. Important:
      • Roles and responsibilities
      • Guidelines and examples for your campus
      • protocol is consistent, but use may vary
      • emphasize simplicity
      • SSO is a selling point
      • Vendor “sale” is getting easier
      • Provide a test environment
      • Opportunity to talk about account provisioning, data access, security expectations, and big picture
      • Have a sign-off/approval process
  • Environment
  • Non-Technical Challenges
      • Executive mgmt buy-in, enterprise-wide view
      • Data providers, application managers
      • Information Security Officer, Registrar
      • Information quality (IdM) is key
      • Skepticism: too hard to implement; don’t see the value; fear of losing control of authorization
      • Can be a chicken/egg problem – but once you crack it everyone wants it.
  • Technical Specifications: PeopleSoft, LDAP, Oracle Collab Suite, CAS, Campus Portal, Blackboard
  • Technical Specifications – CAS servers: Central Authentication Server 2.X; servers: Sun Netra T1, 500 MHz, 1 GB RAM, Solaris 9; three servers for high availability; Cisco switches provide failover
  • Technical Specifications – LDAP servers: Oracle Internet Directory 9.X; servers: Sun Netra T1, 500 MHz, 1 GB RAM, Solaris 9; three servers for high availability; Cisco hardware provides load balancing and failover
  • Technical Specifications – uPortal server: uPortal 2.1.X (moving to 2.5.X); one server: Sun E450 (now 2 x V480), 4 x 400 MHz, 4 GB RAM (now double), Solaris 9
  • Usage Logs: logging to multiple locations, including database, for:
      • Usage level, capacity planning
      • Troubleshooting
      • Security audit
      • Incident response
      • Supplement application logs
  • Usage Metrics: Logins Per Day - Jan 2005 - Feb 2006 (chart; y-axis 0 to 60,000 logins per day, x-axis dates 2005-01-01 through 2006-03-27)
  • Usage Metrics: Users Per Day - Jan 2005 - Feb 2006 (chart; y-axis 0 to 20,000 users per day, x-axis dates 2005-01-01 through 2006-03-27)
  • Usage Metrics: Users Per Month - Jan 2005 - Feb 2006 (chart; y-axis 0 to 45,000 users per month, x-axis Jan 2005 through Feb 2006)
  • Usage
      Integrated, by functionality:
      • Campus Portal (uPortal – same to users; 20,000+ users)
      • Admission process (within portal, 30,000+ users)
      • PeopleSoft Finance, HR, SA
      • Blackboard
      • E-mail, Calendar (soon: other OCS apps)
      • Remedy
      • Student Payroll
      • Meal Plan
      • Associated Students Incorporated services
      • On-campus Housing
      • Career Services
      • Variety of services hosted by academic units
      Integrated, by technology:
      • Java
      • PL/SQL (Oracle SSO)
      • Perl
      • PHP
      • PeopleCode (PeopleSoft SSO)
      • .Net
  • Support
  • Support: technology is very low maintenance. CAS production updates: ~3 hrs/month; reviewing logs, usage patterns: ~4 hrs/month. Credential management: password management in a single location now; made passwords more secure
  • Outreach Grant: Extending the Reach. Helping member campuses with directory services and CAS, PeopleSoft and Oracle integration. Funded by the NSF Middleware Initiative through the NMI-EDIT Consortium of Internet2, EDUCAUSE, and SURA. Other campuses also using CAS
  • Next Steps: implement Student Administration (SSO now in place with HR and SA Admissions module); testing with PeopleSoft version 8.9; CAS 3.x; redundancy for uPortal (completed Fall 2005); alternate authentication methods: Shibboleth – demonstrated integration Oct 2004; ongoing integration on campus technology review process
  • One Vision: “Pan Galactic” Service Delivery. Cal Poly, Stanislaus and Chico each run their own CAS and service infrastructure behind their services, with Shib(boleth) connecting the campuses.
  • Lessons Learned
      • Technical lessons
      • Involve campus Information Security Officer (ISO), CIO at the beginning
      • “It’s all about the data”
      • Ongoing process
      • Department’s understanding
      • Work with application programmers for integration and testing challenges
  • References
      • This presentation: on SecureIT site, or e-mail for latest version
      • CAS: http://www.ja-sig.org/products/cas/
      • JA-SIG: http://www.ja-sig.org/
      • uPortal: http://www.uportal.org/
      • PeopleBooks
      • Cal Poly’s PeopleSoft Single Sign-on Guides: http://www.calpoly.edu/~cms/ExtAuthentication/index.html
  • QUESTIONS? Ryan Matteson, Technical Security Officer/Cal Poly, rmatteso@calpoly.edu. Integration for PeopleSoft SSO: http://www.calpoly.edu/~cms/ExtAuthentication/index.html. Integration samples for Oracle SSO, Remedy, Blackboard: available on request